I care deeply for them all ;-)
On 7/18/07, Claude Schneegans [EMAIL PROTECTED] wrote:
Unfortunately this may exclude AOL users
Who cares about AOL users? ;-))
Once the session times out, it won't matter that the same CFID / CFTOKEN
are being used. This is the same exact thing as letting a web page sit
open for a few hours, then refreshing the page and being kicked out of
the session. The Browser makes a request with the CFID / CFTOKEN values
that it has
Ok - supposing a hacker generates a valid session on a site, then invites
others to click on a link with the same cfid cftoken on the url, meanwhile
the hacker keeps the session alive.
Any visitors that click on the hacker's link are now sharing their details
with the hacker in the same session in
On 7/17/07, Michael Traher [EMAIL PROTECTED] wrote:
We are currently considering stripping cfid cftoken and jsessionid from the
url scope in application.cfc. This means users must use cookies to use the
site of course.
Any thoughts?
As long as you understand that a user can pretty easily
Michael Traher wrote:
Ok - supposing a hacker generates a valid session on a site, then invites
others to click on a link with the same cfid cftoken on the url, meanwhile
the hacker keeps the session alive.
Any visitors that click on the hacker's link are now sharing their details
with the
supposing a hacker generates a valid session on a site, then invites
others to click on a link with the same cfid cftoken on the url
Keep the IP address of the one who created the session in the session
variables, then refuse
any other connection in the same session from another IP.
--
Unfortunately this may exclude AOL users that can end up getting different
IP addresses per request because of the proxy setup they have.
On 7/17/07, Claude Schneegans [EMAIL PROTECTED] wrote:
supposing a hacker generates a valid session on a site, then invites
others to click on a link with
On 7/17/07, Michael Traher [EMAIL PROTECTED] wrote:
Unfortunately this may exclude AOL users that can end up getting different
IP addresses per request because of the proxy setup they have.
I've *HEARD* of that potentially being a problem. But never seen actual proof.
In fact, phpBB does
Unfortunately this may exclude AOL users
Who cares about AOL users? ;-))
--
___
REUSE CODE! Use custom tags;
See http://www.contentbox.com/claude/customtags/tagstore.cfm
(Please send any spam to this address: [EMAIL PROTECTED])
Thanks.